topic Re: Controling users in Operating System - HP-UX

Controling users

Leonid Mishkind — Tue, 24 Oct 2006 01:32:31 GMT

Hello to all!

I want to define a user that can not do rlogin/telnet/remsh/ssh to a server, but that I can "su" to it from any defined server.
Does anyone knows how to do this?

thank you.

Re: Controling users

Peter Godron — Tue, 24 Oct 2006 01:51:43 GMT

Hi,
not sure I understand. Your user is not allowed to connect to the machine, but the command su requires root password access ??
In order to use su you have to have a session, so you have to have logged on.
Please clarify.

Re: Controling users

Leonid Mishkind — Tue, 24 Oct 2006 01:58:57 GMT

No . what I mean is that I have A user that I login with it to a server lets call it "leonid" from user "leonid" I want to do a su to user "oracle" ( lets say I know the password ) . I want to make sure that no one does rlogin or telnet with user "oracle" only "su" to that user.

Is this better?

Re: Controling users

Peter Godron — Tue, 24 Oct 2006 02:33:36 GMT

Hi,
could you please try:
Include in /etc/profile
if [ $LOGNAME = oracle -a $0 != "-su" ]
then
echo "Error: oracle logins only via su"
exit
fi
Then try and log in as oracle (should fail).
Log on as "leonid" and su to oracle.
You can also play with /etc/default/security, setting SU_ROOT_GROUP
But best security is not to allow the oracle password to be known.

Re: Controling users

Peter Godron — Tue, 24 Oct 2006 02:48:20 GMT

Hi,
also found some similar requests:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1048593
and to restrict access to su:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=992121

If you found my replies helpful, please see:
http://forums1.itrc.hp.com/service/forums/helptips.do?#22 . Your profile shows you have only allocated points to 1 answer out of 9.

Re: Controling users

Steven E. Protter — Tue, 24 Oct 2006 02:48:23 GMT

Shalom,

A user must be logged in to su.

If you disable rlogin/telnet/remsh/ssh then the user can not log in and therefore can not su.

You can chroot the user and limit his/her access prior to the su.

I think your need to look at the larger picture concerning security here and set a reasonable goal, which is not apparent from your post.

SEP

Re: Controling users

FERRARI MARCO — Tue, 24 Oct 2006 10:08:42 GMT

I think we accomplished what you look for by:

1. disabling password-in-clear protocols ( rsh, telnet, ftp )

2. using the AllowGroups directive in sshd_config allowing definite groups to ssh to the system ( appl_users, system_admins, system_operators ); in those groups individual accounts are created and maintained, with use of the Trusted System features - like excluding them after 5 failed login tries

3. letting users su to oracle, appl-admin, root or other administrative accounts : that way, 2 passwords are needed for every administrative login

Regards,
Marco

Re: Controling users

Leonid Mishkind — Wed, 25 Oct 2006 02:14:22 GMT

Thanks to everyone fro the answers , unfortunately none of your answers suplied a solution for me:
Peter Gordon - I checked the solution through the /etc/profile but the param. $0 always contains "-sh" or "-ksh" no metter the way I loged in .

Unfortunately my system is not that secure and the login protocols are been used by user so I cant disable any of them.

I guess my main problem is that I am looking for a temporary and a qucik for implementation solution.

Thanks to all.

Re: Controling users

FERRARI MARCO — Wed, 25 Oct 2006 03:55:49 GMT

If you don't want to be secure try this:
1. copy ksh or sh to $DIR/become_oracle
2. make it a SUID program owned by oracle_admin
3. put an arbitrary string as oracle user password
4. users do: $DIR/become_oracle

This is horrible security-wise but should work.

Let me know, I don't think I tried it recently.

You make me a hacker, my friend,
Marco

Re: Controling users

Leonid Mishkind — Thu, 26 Oct 2006 03:40:01 GMT

following your advise I tried something like this.

leonid@server> cat become_oracle
su - oracle
leonid@server> ls -l become_oracle
-rwsr-xr-x 1 root sys 43 Oct 26 09:36 become_oracle

But ... when I execute the file with user leonid , I still get prompted for password.